Artificial Intelligence in Cybersecurity: A Socio-Technical Framing

Citation: K. Michael, K. M. Vogel, J. Pitt and M. Zafeirakopoulos, "Artificial Intelligence in Cybersecurity: A Socio-Technical Framing," in IEEE Transactions on Technology and Society, vol. 6, no. 1, pp. 15-30, March 2025, doi: 10.1109/TTS.2024.3460740.

Image by Elf-Moondance from Pixabay

Abstract

Rapid progress in Artificial Intelligence (AI) is presenting both opportunities and threats that promise to be transformative and disruptive to the field of cybersecurity. The current approaches to providing security and safety to users are limited. Online attacks (e.g., identity theft) and data breaches are causing real-world harms to individuals and communities, resulting in financial instability, loss of healthcare benefits, or even access to housing, among other undesirable outcomes. The resulting challenges are expected to be amplified, given the increased capabilities of AI and its deployment in professional, public, and private spheres. As such, there is a need for a new formulation of these challenges that considers the complex social, technical, and environmental dimensions and factors that shape both the opportunities and threats for AI in cybersecurity. Through an exploration and application of the socio-technical approach, which highlights the significance and value of participatory practices, we can generate new ways of conceptualising the challenges of AI in cybersecurity contexts. This paper will identify and elaborate on key issues, in the form of both gaps and opportunities, that need to be addressed by various stakeholders, while exploring substantive approaches to addressing the gaps and capitalizing on the opportunities at the micro/meso/macro levels, which in turn will inform decision-making processes. This paper offers approaches for responding to public interest security, safety, and privacy challenges arising from complex AI in cybersecurity issues in open socio-technical systems.

SECTION I.

Introduction

The increasing prevalence of cybersecurity attacks on organizations focused on the provision of large-scale technical systems and the related critical infrastructure of nation states has been observed over time [1]. Traditionally, the impacts of cyber attacks have ranged from direct or indirect strikes on a) commercial organizations and their customers and their customer’s customer, often having a financial impact in the form of ransom, brand damage, and organizational cybersecurity budgets; b) governments and their corresponding agencies whose citizen records have been compromised or whose website portals have been defaced; and even c) large-scale charities who maintain financial and verified address data on donors. Some of the world’s largest online platforms and service providers have been subject to data breaches and continue to increase in severity, scale, and frequency. We now have data breaches of customer records that are bigger than total populations of countries [2].

The stakes have continued to grow with more recent incidents demonstrating that sensitive personal identifiable information (PII), such as health records, have been stolen. Identity theft among other cybercrimes continues to proliferate as financial, insurance, and health institutions are targeted. In addition, there are other forms of cybercrime with wide-ranging motivations, from credential theft, to hacktivism, to insider threats, to industrial and political espionage, to deepfakes [3], and even terrorism through breaches in cybersecurity defences. Moreover, cybersecurity issues can involve accidental publication of data to the Web (i.e., through improper security settings); misconfiguration of security components or cloud computing infrastructure; zero-day vulnerabilities linked to service provider software (e.g., unprotected Application Programming Interface); disgruntled employees (e.g., insider attacks); social engineering (e.g., impersonation); lost data (e.g., on physical storage devices) that has not been disposed of properly, or has been misplaced in a public place; poor physical security perimeters (e.g., stolen computers); and more generally poor organizational security blueprints and employees who lack adequate cybersecurity training (4, pp. 3f).

As almost all services have been digitally transformed, human dependence on these technological systems has grown [5] and continues to increase. This poses challenges whereby if given systems fail, a person or local community may not be granted access to a service and/or may be required to forgo a fundamental human right (e.g., access to drinking water) or to go without, albeit temporarily, a necessity to live and work in the modern world (e.g., access to money, to handheld devices for safety and other purposes, or even to the Internet). When there is a breach in any aspect of one’s personal information, there are a range of cyber harms that may present due to the disruption: physical/digital, economic, psychological, reputational, and social/societal [6]. A member of society can be vulnerable to attack in their workplace, on their own home network, on the personal devices that they carry on a day-to-day basis, and even the medical devices that they may bear.

New targets include devices such as unsecured Internet of Things devices, wearable personal devices, and smartphones at the edge [7]. Individuals may also fall victim to traditional social engineering attacks, phishing attacks, malware, ransomware, SMS scams, unencrypted email communications, and much more. Moreover, individuals may encounter challenges ascertaining what is disinformation versus fact, who they can trust in specific contexts, in addition to indirect attacks that are increasingly automated like Web scraping on social media platforms. Other challenges also exist, resulting in a complex cyberthreat environment that may be difficult to define and navigate by organizations, academic institutions, and other members of society alike [8].

A. Cybersecurity as a Requirement of Human Security

Currently formulations of the cyberthreat environment, and of cybersecurity, tend to be technical in nature and accessible / comprehensible by certain stakeholders, resulting in ambiguous conceptions of security, including human security and cybersecurity more specifically. This is problematic, as security is a fundamental human requirement. Alkire [9] defined “human security” as: “[t]he objective... to safeguard the vital core of all human lives from critical pervasive threats, in a way that is consistent with long-term human fulfilment”. Human security is subject to the reliability of technological systems, and those who govern the systems. The control capability can be highly asymmetric between those who can provision and those who can withdraw that provisioning through deliberate action, market forces, poor maintenance of physical systems, or sheer ignorance. Stolen digital assets can evoke feelings of distrust in once trusted service providers and systems of market exchange and interaction, as well as doubt in legal protections, and general disorientation about the government’s ability to act on behalf of citizens. Cyber attacks, in whatever form, can also create feelings of anxiety, fear, helplessness, and anger across society [10].

Responses to cyber harm must go deeper than simply band-aid solutions, such as asking an individual to change their password or order a new passport, health insurance, or credit card. Specific attention must be granted to the one who has been harmed. Equally, collective responses to cyber harms are critical for vulnerable communities, as these harms may further exacerbate existing sentiment toward power structures and amplify existing disparities. Select government agencies have focused their nation-wide educational campaigns on cybersafety (the protection of people) as opposed to cybersecurity (the protection of data). To date, government agencies have lacked mechanisms to engage and consult directly with the public about how to best combat the problem of individual attacks, attacks that destabilize organizations that citizens subscribe to as customers and disrupt flows of communication to critical government entities like Social Security that affect almost the entire population.

B. Outline

This paper is divided into seven sections. We will first explore the cyberthreat environment as a means to provide a backdrop for the research, prior to addressing “AI in cybersecurity” in terms of what it is and its emergent relationality. Section II focuses on presenting the socio-technical conceptual framing, the stakeholders in the cybersecurity ecosystem, and the top-down methodology applied in this study. Section III opens with the current gap in the literature and then presents five thematic areas demonstrating the changing nature of cybersecurity and the responses to date from traditional cybersecurity scholarship, to understanding supply chain vulnerabilities and the formation of ecosystems, to grappling with uncertainty and risk and human factors, to current responses touting the benefits of multidisciplinary and multi-stakeholder approaches in addressing complexity in technology convergence. Section IV identifies ten gaps in the dynamic cybersecurity landscape and opportunities in future AI and cybersecurity research, Section V the findings of the investigation toward a better understanding of AI in cybersecurity, and Section VI the roadmap providing a way forward, before the recommendations are presented in Section VII, identifying the limitations and risks of the study.

SECTION II.

Conceptual Framework and Methodology

A. Socio-Technical Conceptual Framing

Fig. 1. Multi-tiered Socio-Technical Perspective.

A preliminary step in the process of learning and evolving in the context of the cyberthreat environment is to understand the system in question; the AI in cybersecurity system as an intricate and interconnected socio-technical ecosystem [11]. This system is complex, is attempting to satisfy multiple criteria and objectives, and contains a multitude of components, subsystems and dimensions that interact and are linked together in many ways. Significantly, the nature of this socio-technical system is not entirely known. AI in cybersecurity will remain a dual-use technology—creating both benefits and risks [1], [12]. Thus, future AI-enabled systems (and their human operators) will have to learn and evolve to keep up with a constantly changing cyberthreat landscape.

Fig. 2.

Socio-Technical-Environmental Dimensions.

This paper seeks to reformulate AI in cybersecurity from a socio-technical perspective, with the intention of employing a socio-technical framing allowing for enhanced understanding of the opportunities and challenges of AI in cybersecurity. Broadly, a socio-technical system “is one that considers requirements spanning hardware, software, personal, and community aspects. It applies an understanding of the social structures, roles and rights (the social sciences) to inform the design of systems that involve communities of people and technology” [13]. Thus, in the context of security and cybersecurity, “socio-technical” refers to the interplay between users, technology, and processes [14], [15]. This perspective draws largely from the foundational principles of socio-technical theory, a detailed review of which can be accessed in Abbas and Michael [15]. As has been noted by several authors, including Appelbaum [16] and Carayon et al. [17], an organization should be seen as a complex socio-technical system [18] that can be impacted by outside forces stemming from diverse players, and as such, it can be susceptible to the influence of the external environment within which these forces exist. Davis et al. [18] point to more than just customers in that environment and give the example of a regulatory framework that has been enacted by the government and may affect how an organization attains its goals. The socio-technical framing also applies beyond the organizational/ community (meso) context, to the individual (micro) and societal (macro) levels and application [19], [20], [21] (Fig. 1). This multi-tiered, socio-technical perspective offers a rich understanding of socio-technical dimensions at the respective levels and allows for a more accurate depiction of the opportunities and challenges of AI in Cybersecurity (Fig. 2).



B. Stakeholders in the Cybersecurity Ecosystem

Stakeholders that belong to the cybersecurity socio-technical ecosystem can be considered at three levels: (i) macro - society as it pertains to a local/ national/ international context inclusive of the governance structures and mechanisms; (ii) meso - organizations at any level involved in the provisioning of AI in cybersecurity infrastructure and services, or organizations seeking to update, introduce and or integrate cybersecurity infrastructure and services within their existing operations; and (iii) micro - individual human beings with commensurate rights who are personally identifiable in the context of AI in cybersecurity and may interact with/ be affected by AI-based socio-technical systems.

The primary audiences of this paper are national and intergovernmental agencies and local and transnational business entities directly responsible for societal securitization and fundamental human needs (e.g., safety), especially for the care of and provisioning for vulnerable members of the community. A secondary audience includes academic and research funders and councils, and other indirect stakeholders such as non-governmental organizations, who attempt to observe, study, warn, and respond to security-related incidents, share information at a national or international level, build technical standards and industry solutions, develop, and provide enforcement of laws and legislation, and protect consumers and their data. The tertiary audience of this paper is individual members of society who have dual or triple roles within civil society; for instance, they may simultaneously assume multiple roles such as being members of the public, working with funding bodies and be employed in an organization as an example. These individuals are vital in the transmission and dissemination of information pertaining to cybersecurity both within their households and extended social (such as family and friendship) relations.

Thus, the research gaps are pertinent to academia, the roadmap is relevant to all stakeholders, and the recommendations section can be adopted and implemented, particularly by government and industry stakeholders. Additionally, the gaps, roadmap and recommendations are accessible to all stakeholders for information dissemination and other purposes.

C. Method: Top-Down Approach

A literature review was conducted in April-November 2022 with multiple revisions, with the purpose of determining the current landscape of AI in cybersecurity. The intention was to review existing literature to formulate a unique, socio-technical interpretation and framing of the prominent themes relevant to AI in cybersecurity, from a multi-stakeholder perspective. The literature review widened the scope of current understanding of AI in cybersecurity by moving beyond the organizational setting toward a societal and values-based view. This was achieved through the collection of select seminal peer reviewed literature across the organizational and information security corpuses inclusive of IEEEXplore, ACM, and ScienceDirect using the terms: “socio-technical”/“sociotechnical” and “security”; “socio-technical”/sociotechnical” and “information security”; and “AI” and “cybersecurity”. In addition, more recent studies were also gathered that focussed on the intersection of AI, cybersecurity and socio-technical scholarship more specifically, following a descriptive meta synthesis approach [22] with a view to contribute to existing scholarship a socio-technical perspective and formulation of AI in cybersecurity.

The collected literature was thematically coded using qualitative analysis to uncover dominant topics that were subsequently distilled into five broad themes or areas of emphasis, covering both historical and contemporary accounts relevant to the study of AI in cybersecurity. Out of the hundreds of articles downloaded in the databases searched, only 75 articles were identified as having direct relevance to socio-technical framings of cybersecurity. Of these about 80 pages of qualitative notes were taken summarizing direct quotations and allusions specific to the inquiry of this study. Like summaries were co-located and placed within a historical setting as the field of security developed, and technologies like microcomputers, the Internet, the cloud, and AI were introduced over time having a direct impact on the nature of cybersecurity blueprints, strategies, policies, and solutions. The authors looked for unity of ideas, extensions to theory, breakthroughs in design science research, multi-paradigmatic approaches, and processes and practices in joint optimization of capability domains between the social, technical, environmental dimensions [23], and more. To validate the qualitative analysis, a quantitative content analysis was conducted using the software Leximancer on the same data collected.

Fig. 3 presents a concept map that demonstrates the interrelationships between dominant themes searched in this study: “socio-technical” and “security”. The light tangerine concept has the dominant term “social” located closely with the proximate term “technical” and “socio-technical”, “policy” and “governance”, demonstrating the application of socio-technical theory in the cybersecurity literature. Nearby concepts to this theme also include: “human”, “change”, “cyber” and “cybersecurity”, “requirements” and “development”, as well as “need” and “complexity”. The importance of socio-technical approaches is thus exemplified as the adjacent concept idea of a cybersecurity “framework” to “support” “workers” and “online” “users” is present. Other adjacent concepts include “security” “systems” and “management” with respect to secure “software”.

Fig. 3. Concept map of “socio-technical” and “security” literature.

Fig. 4. Concept map of “socio-technical” and “information security” literature.

A second concept map (Fig. 4) was generated with a specific search on “socio-technical” and “information security” literature. The concept map demonstrates where previous works have focused attention in this sub-field of cybersecurity, which is on the application of formal methods (light red and aqua concepts) that take advantage of mathematical models to study complex systems and verify their system properties. In particular there have been numerous studies that used formal methods in the analysis of trust (purple concept). In the light gold concept can be seen socio-technical security frameworks and terms, in addition to the light green concept which emphasizes “risk” as a major concept and links better “security” of “systems” with “information measures” and “resources” and “access” to information by “agents” who “value” risk mitigation. While there are overlaps in dominant themes, concepts and terms between Figures 3 and 4, it is obvious that the more specific search in Fig. 4 yielded a more technical response, whereas the broader search on “socio-technical” and “security” (Fig. 3) yielded a more balanced response between the “social” and “technical” dimensions. The “environmental” dimension was prevalent but lacking in shared meaning, terms like “governance” and “policy” instead prevalent in the literature, as opposed to explicit use of terms like “law”, “regulation”, “standards”, and “compliance”.

Importantly, this reformulation, following after Islam et al. [24], was of existing scholarship regarding cybersecurity, artificial intelligence, and societal implications. It was valuable in so far that it was used to identify socio-technical considerations, implications, and gaps in existing scholarship, highlighting areas for future research. The purpose of this paper is to present a reformulation of AI in cybersecurity from a socio-technical perspective, while proposing a research roadmap that is expected to have material implications for stakeholders from a research, policy, and practice perspective.

SECTION III.

Review of Literature

To date there have been a variety of technical papers [25], [26], [27], [28], [29], [30], [31], [32], [33], [34], [35], [36], [37], [38], [39]; and policy-oriented papers [40], [41], [42], [43], [44], [45], [46] that have looked at the growing developments and implications of AI in cybersecurity; however, there has been little focus on AI’s socio-technical considerations from an integrated multi-layered and multi-stakeholder perspective. This has resulted in a lack of attention to human factors or larger socio-technical ecosystem concerns that shape whether or to what extent AI in cybersecurity yields risks or benefits in different contexts and for different members of society within communities of interest. It is critical to recognize that cyberharms persist at three levels: individual (micro), organizational / community (meso), and national / international / societal (macro) causing direct and immediate harms, indirect harms, and short- and long-term harms to people and property [47], [48], [49]. These have varying physical, economic, reputational, cultural, psychological, political, and other effects. Traditionally, the “human” has been identified as “the problem” and the “weakest link,” but it is clear from data breaches over the past years that responsibilities for AI in cybersecurity will need to incorporate human-centred solutions within companies and government agencies [50]. Thus, applying a socio-technical lens may provide a better approach to both understanding and addressing AI in cybersecurity issues.

In response, this paper employs a socio-technical approach to AI in cybersecurity, acknowledging that cybersecurity requires more than just a technical or policy dimension. It also requires incorporating with equal emphasis social and environmental considerations and their corresponding interrelationships, as well as patterns and trends in the interactions between micro, meso and macro level considerations. The paper will provide an alternative multidisciplinary vision for understanding and anticipating the nexus of AI and cybersecurity and its effects on society at large and will provide guidance in the form of a research roadmap.

The literature review takes a chronological view of cybersecurity, demonstrating how the field has changed over time, and will continue to change given the impact of artificial intelligence (AI), among other emerging technologies. Initially, the emphasis of the review is on the increasing dynamism and complexity, brought about by the Internet on organizations, supply chains, and operations. The latter part of the review is not merely how to understand the new threats that AI poses on cybersecurity, but how to problematize the intersection of the space using socio-technical theory, which seeks to jointly optimize issues pertaining to humans, technologies, and related processes. The review can thus be understood to go beyond AI, offering an underlying framing for how to address new threats that may be introduced by technologies and their emergent applications. Five themes are presented, culminating in the need for multidisciplinary and multi-paradigmatic responses to cybersecurity. These themes should be considered at the government/societal (macro), industry/ community (meso), and individual (micro) levels.

A. Theme 1: Traditional Cybersecurity Scholarship

As we look at the changing landscape of cybersecurity, it is important to consider that before “cyber” as a concept became prevalent, “security” as a domain of study was firmly established, although the focus was typically on military tactics on the battlefield. According to Samtani et al. [51], an organization-centric perspective was largely adopted in computer security, and thus in relevant literature.

Organizations today, due to the growth of communications, may have a presence in more than one location, often in more than one country, requiring dedicated internal networks (intranets) to facilitate information access, exchange, and collaboration. This environment has supported the development of multinational and transnational entities that cross borders where different laws and regulations may apply. Increasingly individuals and companies are forming such “transnational networks that pay absolutely no heed to national boundaries and barriers” Angell 1995, p. 10 quoted in [52].

With the rise of the public Internet, online services flourished, allowing for communications between users and providers that were distributed with a global reach. Security became focused on online applications, the storage of information in a digital format, and thus “cyber” security was born to respond to various forms of connectivity: intranets, extranets, and the Internet. Managed network services soon developed into Cloud solutions, and data demands grew exponentially through the increased use of personal devices, self-service business models, and government digital transformation initiatives. The idea of “vectors of attack” was born as the number of unsecured devices commensurately rose, as did the methods of attack with the introduction of wireless fidelity (wi-fi), smartphones, and the Internet of Things (IOT) [53].

The CIA (confidentiality-integrity-availability) triad model, despite its many limitations, was used for decades to ensure organizational-centric security [54]. Confidentiality was required to ensure data remained private through the concealment of resources; integrity was required in order for data and software to only be changed in an authorized manner, ensuring trustworthiness; and availability was required for the proper functioning of a system by authorized users, free of attacks, ensuring reliability and robust systems design [55], [56]. But these “technical controls” were developed and intended for a very different setting when contrasted with the modern organization [57]. Whereas once the emphasis was purely on the machine and the place in which the machine resided to guarantee security, there has been a departure from these lines of inquiry in scholarship “towards a wider socio-technical reconsideration of its core concepts” [57].

According to Samtani et al. [51] there are two types of cybersecurity data. These can be defined as internal cybersecurity data that pertain mainly to assets to the organization (such as data storage, network-based fingerprint data, biometric data) and external sources of data that are available in the public domain (such as malware repositories, news media sources, carding shops). Knowing where data is stored or passed through is just as vital as knowing how to guard against data loss and data leakage. The first sign that an asset (a network, machine, device, or data), is under duress and may be compromised comes through the detection of anomalous traffic behaviour (e.g., too many login attempts, excessive upload and downloads based on historical patterns for benchmarking, and abnormal signal strength, among other signs). By bringing together internal and external data sources for protection, the organization remains informed internally about the health of an asset, and externally about other examples that may forewarn about common attacks and changes to environmental settings.

The lessons are clear; we can no longer rely on just technical responses. The defences have proven too easy to overcome. According to [24], it is evident that organizations still emphasize the “technical.” Specifically, they emphasize the technological responses to cyber attacks and cybersecurity challenges at the expense of the social. Yet, the vectors of attack have grown so much that fool proof security blueprints with layers of security still suffer from what is known as “implementation gaps.” Importantly, social engineering techniques can still play an important role in any hack.

B. Theme 2: Going Beyond the Organization: Supply Chains and Ecosystems

A supply chain is several organizations connected both logically and physically along the supply process, toward the production of goods and services for distribution to customers. Dhillon and Backhouse [52] emphasize that the structures of supply chains facilitate intense sharing of data and information and are characterized by “a high level of interpersonal and inter-organizational connectivity.” This means a breach in defences in one organization will be transferred across the supply chain and perpetuate the problem. A vulnerability in one layer of a single organization is a vulnerability across the supply chain from producer to distributor to retailer and ultimately to the customer.

Cybersecurity has gone from an organizational-centric concept to a national and global affair and is increasingly about critical infrastructure that support individuals in society. The greater the number of cybersecurity attacks, the more the local and national contexts are undermined. Security is a communal good that requires participation from all sectors, systems, and structures that needs to be sustained. A socio-technical strategic focus to information security attempts to achieve effective security, holistically, “through the application of multiple organizational and social alignment mechanisms combined with competence in technology” [58].

The need to respond to increasingly global security requirements that have local impacts, cuts across the three layers top-down or bottom-up. Upper-layer security analysis undoubtedly has an impact at the lower layers, and lower-layer security analysis undoubtedly has an impact on the upper layers [59]. Security vulnerabilities are not isolated incidents that can be “plugged”; the exposure in one layer carries across to other layers up and down the stack. The authors call this approach “multifaceted” where cybersecurity extends beyond being simply a “technical issue,” towards being understood as a “business issue” that executives and senior management can no longer ignore because of fiscal and reputational brand repercussions of data breaches, not to mention the implications on people’s privacy.

The ecosystems perspective relies on top-down and bottom-up approaches, which is generally referred to in the literature as a “hybrid” approach, that is in alignment with the methodology employed in this paper [24]. Bauer and Dutton [48] describe a range of actors in the “cybersecurity” ecosystem. Stevens [14] describes these actor relationships as “complex assemblages” and names “players” such as military/ intelligence personnel, users/ citizens, hackers, organizations, and others (Fig. 5).

Fig. 5. Complex socio-technical assemblages in the cybersecurity ecosystem.

Using an ecosystem view, stakeholders can come together to share their perspectives, and to voice the issues that are important to them and their constituents. Hodson and Marvin [60] describe this very practically when they write: “‘[e]ffective’ responses to these pressures are thus predicated on multiple challenges, multiple actors and multiple levels that require effective coordination to inform control of infrastructure systems.” Framing cybersecurity as a dynamic process within an ecosystems-based framework allows for those human-related risks to be better understood, exposing more complicated interactions at multiple views (cyber/physical/social) at the micro-meso-macro levels within an environmental context where events and actions have consequences. Understanding the complex processes taking place requires the adoption of theories from diverse fields including biological sciences, sociology, cultural studies, and computing/socio-technical systems [24].

C. Theme 3: Humans, Risk, Uncertainty, Complex and Dynamic Systems

As has been noted above, systems today may be described as dynamic. Farber and Pietrucha [61] describe not just interconnectedness between organizations but interdependencies of large-scale, complex socio-technical infrastructural issues. To complete this picture, a security breach in a single socio-technical infrastructural system will have a ripple effect throughout the entire end-to-end system, albeit for a short time until the system returns to a steady state.

Wu et al. [62] attempt to articulate where the complexity being experienced stems from and deduce that it comes about because of “interactions and interdependencies between a diverse range of social, technical and contextual elements in and around the system.” Modelling modern socio-technical systems in critical infrastructure and services such as transportation, organizational systems and energy infrastructure is a very challenging task. However, the ability to model is essential to the design, development, and delivery of modern systems, particularly in socio-technical systems engineering and decision support. Zimmermann and Renaud [63], drill down further in describing the social, technical, and environmental elements in socio-technical systems. Pertaining to the issue of cybersecurity, they describe such elements as computers and networks (technical subsystem); human actors in different roles and with different levels of security expertise (social subsystem); and governance structures, operating systems, and the influences of the wider environment (environmental context) (figure 5).

Short of saying we cannot simply focus on the “technical” in cybersecurity, Zimmermann and Renaud [63], pronounce that we have to do “Cybersecurity, Differently”. They emphasize that you cannot simply “home in” on a single component, hope to “fix it” and move on. That is not how socio-technical systems work given their complexity. Such an approach would be unrealistic because of “the emergent nature of the underlying system’s outcomes.” We would add that it would be unrealistic because the system works through interactions of components between subsystems and not on singular “anything.”

Samtani et al. [51] describe the importance of cyber threat intelligence, inclusive of threat and actor identification in the interest of informed decision making. To become more resilient there must be a greater level of intelligence; this intelligence seeks to detect patterns and trends that might well serve to be effective in scenario planning. This is where AI can be incredibly useful in detecting anomalies in incoming and outgoing network traffic; patterns in Wi-Fi signalling; login attempts; pattern recognition (biometrics); etc. While these pattern detection techniques seek out exceptions, they are for the greater part emergent, but grant some mechanism with which to combat threats.

Stevens [14] suggests that users can often be perceived as a threat vector. Insider attacks, referring here to members of an organization, and users in general, have traditionally been called the “weakest link” in cybersecurity. Islam et al. [24] concur that human behaviour and human error can be considered as threat vectors or sources. Yet, as noted by Zimmermann and Renaud [63], merely “[l]abelling human actors as “the problem” does not acknowledge their ability to detect anomalies and halt attacks.” So, as much as humans are responsible for attacks on global networks, even through insider attacks [14], humans are also responsible for devising responses to known attacks, or working in security teams to address unfolding attacks as they happen unexpectedly in an organization.

Cybersecurity is not only a computer science or technical challenge, but increasingly (and in no small part driven by emerging AI technologies) it is a sociological, economic, and behavioural challenge. The act of securing our cyber existence is not yet a universal mindset. And the question is, how to make it so? How might we be able to utilize socio-technical theory to encourage the application of cybersecurity in every facet of our digital and off-line realms? In effect, the hope is to change the mental models of users. It is proposed that one way to shift these mental models is through educational campaigns, although measuring what effective might mean is complex in its own right. Dupont [64] grants a security mindset definition specifically for Internet users, defined as “a set of attitudes, beliefs and values that motivate individuals to continually act in ways to secure themselves and their network of users, such as by acquiring technical skills, new practices or changing their behaviour online.” Yet, as Farber and Pietrucha [61] point out, we must study closely why stakeholders may have different “mental models” of how infrastructural “sociotechnical systems function, even for supposedly the same systems, which is valuable knowledge for understanding “whole” systems of systems functioning.” We need to develop information security capabilities at the management, operational and tactical levels as well as to continue to train competent security-centric personnel.

D. Theme 4: Socio-Technical Framing of the Information Security Paradigm

Clearly there is a need to consider how we may be able to address the issues, concerns and dilemmas raised in the previous sections. One suggestion prevalent in the literature is to understand the information security paradigm through socio-technical framing. Paja et al., [65] make the claim that “today’s systems are Socio-Technical Systems (STSs).” The authors note that these STSs consist of participants—inclusive of humans, organizations, and software—that are autonomous and can interact with one another to achieve tasks. Security within socio-technical systems must not be seen merely as a technical challenge, but social components also need to be considered: “Today’s systems are socio-technical, for they are an interplay of social actors (humans and organizations) and technical components (software and hardware) that interact with one another for reaching their objectives and requirements” [65]. Following this research, Paja et al. [65] and Mujinga et al. [66] call for information systems design (ISD) strategies that can address both the social aspects and technical aspects, utilising the socio-technical systems (STS) approach.

Griffith and Dougherty [67] further elaborate citing Rogers [68] that the socio-technical perspective breaks down an organization into a social system that is made up of people that utilize tools, techniques, and knowledge (technical system), to make something tangible or offer a service to a customer base. Customers/subscribers are defined as members of an organization’s external environment, as they sit outside the physical and logical boundary of an organization. What is important is not that there are two individual systems, a social subsystem, and a technical subsystem, but how well these two systems are designed to interact with one another with respect to the demands of the external environment. The better the interaction between an organization’s products and services and the external environment (e.g., customers and other stakeholders), the more effective the organization. However, turbulence in the external environment can impact an organization as it keeps adding to the complexity already being experienced Susan and Mykletun [69] cited in Malatji et al. [23].

Without overemphasising the importance of the “social” over the “technical” or the “technical” over the “social,” better understanding of human factors is vital for the success of security management in the modern organization. Worm et al. [70] cite Johnsen and Veen [71] who refer to the “human factor” as an interdependent network in “recognition of the importance of modelling the socio-technical system as a whole.” Dupont [64] similarly agreed that technologists and sociologists alike had to adopt a cybersecurity mindset. A mindset was not just about thinking and theorising but about actions. The social and cultural dimensions of cybersecurity were critical, Dupont [64] argued, and needed to be “addressed alongside allied efforts to enhance educational, technical, organizational, business, policy, and regulatory approaches to cybersecurity”.

E. Theme 5: Balanced Multidisciplinary and Multi-Stakeholder Approaches

TABLE I Identification of Gaps in the Dynamic Cybersecurity Landscape

We return to the fundamental premise that we need more than one discipline to respond to cybersecurity issues. As described by Beekun [72] in Malatji et al. [23], STS “seeks to optimize the alignment and correlation between the social and technical dimensions of a system, while considering the system’s environment.” We deduce a holistic approach is required. Cited in [57], Dhillon and Backhouse [73] draw on two empirical studies and warn that the result of an imbalance in the three subsystems of any socio-technical system will lead to uncertainty. This has the effect of creating complexity, which ultimately introduces inherent risk to an STS. Reference [73] elaborate that this is “due to the continuous and out-of-control interactions of the technical, formal and informal sub-systems”.

While traditionally the “human” was situated as the “problem” in security, Zimmermann and Renaud [63] have highlighted in their seminal paper a movement toward viewing the “human” as the “solution.” However, this perspective too can be seen as unbalanced as it pays more attention to the significance of the social subsystem rather than acknowledging that the social subsystem is just as important as the technical and environmental subsystems. The literature points to the short-sightedness of making a trade-off between social and technical issues. Enhanced psycho-social awareness of causes of cybersecurity breaches will not prevent an attack if the artefacts required to protect an organization’s data and network are so poor that they can be easily compromised. Here we return to the ideas already presented above of holism, balance, and interconnectivity, and stress the need for the incorporation of positivist, interpretivist, and critical methods to provide a clearer picture of how artificial intelligence may well impact the field of cybersecurity.

In Fig. 1 depicted in Samtani et al. [51] a multidisciplinary perspective is presented, incorporating socio-technical, organizational, regulatory, cultural, cognitive, and psychological factors. Interrogated from a diverse array of perspectives it becomes possible to better understand how AI can be used to assist in decision-making of cybersecurity risks and responses that may need to be executed in near real-time. A multidisciplinary AI for cybersecurity roadmap includes a three-pronged approach incorporating (a) cybersecurity applications and data, (b) advanced AI methods, and (c) AI-enabled decision making. The process broadly considers (1) emerging application areas that have data source demands and whose data can be pre-processed for representation and analysis in a refined manner; (2) the gathered data then undergoes a multi-view and multi-modal analysis using explainable and interpretable AI approaches and human-machine interfaces that are augmented to enable; and (3) AI-based cyber-defence and resilience toward automated cybersecurity predictions and dashboards that allow for the visualization of events in real-time [51]. In many ways this process as presented by Samtani et. al. [51] is reminiscent of the Observe, Orient, Decide, Act (OODA) loop [74], incorporating the power of artificial intelligence in defence. But the same principles may apply in offence.

Socio-technical systems by their very nature require multi-dimensionality because they are composed of multi-stakeholder relationships, and are based on knowledge stemming from multidisciplinarity, and are in fact a multi-paradigmatic approach. Kianpour et al. [75] candidly consider and see the usefulness of adopting the multi-paradigmatic approach, which is to a degree pluralistic, in supporting boundaries and limits to analysing cybersecurity as a socio-technical phenomenon. Multi-paradigmatic approaches require the incorporation of multiple viewpoints from different disciplines inclusive of sociology, psychology, behavioural science, and social psychology. The real challenge may well not be the hackers, or the technical actors in the cybersecurity ecosystem, but the transforming of people’s “consciousness to higher levels of awareness and understanding of oneself, others, and the complex interconnectedness of all things” [75].

SECTION IV.

Gaps and Opportunities for Future Research

The more complex our systems become, the greater the attack plane that can be targeted. A tit-for-tat, ‘catch me if you can’ attitude, will only lead to greater exposures, and misdirected cybersecurity attacks with mass-scale, even global implications. We need to discover and address the root causes of cybersecurity issues, which can only be achieved by exploring and analysing the complex socio-technical system within which AI in cybersecurity, and the related challenges, exist [76]. This does not require merely taking into consideration national and organizational-level risk assessment, but rather considering risk at the individual and or household level. Geopolitical pressures at the national level will have flow on effects, and governments must remain cognizant that interferences by state and non-state actors on critical infrastructure providers and major organizations, will have a direct impact on individual citizens and their respective households and communities at large [76]. This fragmentation will require new architectures for international AI governance [77], [78].

Within an environment open to destabilization, and factoring in the multiplicity of scenarios, it is easy to assume that the future of AI in cybersecurity is one void of human intervention: an entirely autonomous vision [76]. This is a consequential misconception when discussing the potential of AI in cybersecurity. That is, a human can, and in most instances should, be kept in the loop. Specialists must work with AI and keep striving for its appropriate and optimal use, and not become complacent or over-reliant on third party ML-based solutions [76]. External data sources can provide new sources of intelligence with respect to the latest cybersecurity attacks, the development of new information on the latest forms of attack, and the construction of a customized cybersecurity knowledge repository that can act as an aid to decision-making for risk managers and security specialists [79].

Gap 1: Human factors are under-represented in cybersecurity research. We are advocating for the integration of human factors (i.e., affordances, cognition, visualization, and perceptions) in socio-technical systems design, requiring a reframing from “humans as the problem” to “humans as the solution” and avoiding the scenario of the “human as exploitable.” Importantly, human factors alone will not address cybersecurity concerns. Those concerns will be addressed by responding using human-machine teaming approaches, that is the human actor working alongside the technology.

Gap 2: Lack of emphasis on human values. These include things personal to us– trust/control, privacy/security, attention/safety, individual vs congruent shared values [80]. Socio-technical systems design requires knowledge of the values of users of cyberspace to ensure cybersecurity and cybersafety are shared values. Trust is emphasized within an entity, between entities, and in the ecosystem at large. Trust in entities in the physical space cannot be auto-replicated or assumed in cyberspace, despite that trust acts as a binding agent in connectedness. Of course, there can also be value tensions between human values, e.g., the need for sharing in a community, and personal privacy which is critical to understand with respect to cybersecurity [81], [82].

Gap 3: Single focus perspective of cybersecurity is limiting. The cybersecurity “problem” is seen through the eyes of a consumer, an organization/ business, government agency, or national security entity. It may also be seen from the perspective of an individual member of a supply chain (end-user, retailer, wholesaler, etc.), value chain or care chain. We are advocating for an integrated view where everyone is responsible for cybersecurity. Responsibilization does not mean that a consumer is used as a scapegoat, or an organization is blamed for a major data breach. Accountability is paramount, especially in government.

Gap 4: Stakeholder mapping of the complex cybersecurity ecosystem is required. Stakeholders in the ecosystem are identified, as are the relationships and interdependencies between each entity. For each stakeholder, the key issues are articulated, as are the reasons for those issues, and how they might be overcome. An integrated view is needed with all stakeholders represented through not only engagement but consultation and participation. The complexity of the system map should show the external environment; the meshed physical and logical network, inclusive of the triple helix; the third sector and others.

Gap 5: Emphasis on educating members of society about the dynamic cybersecurity landscape. As threat vectors continue to increase, so does the nature of challenges pertaining to AI in cybersecurity as an emergent context. This gap has much to do with raising cybersecurity awareness among the populace, but also has to do with capacity building so that people instinctively know how to detect that an email or an SMS or an action request is suspicious. This gap extends to misinformation and disinformation online where members of society need to be able to conduct some basic assessments to determine validity of a piece of content.

Gap 6: Lack of attention to capabilities development and maturity models in organizations. This gap predominantly requires that businesses, governments, and not-for-profits develop a capability maturity model that can be used as an investigative tool to support knowledge of a given process, and to support process improvement. The emphasis in this gap is in the configuration of capability maturity models in that they are made up of a designated set of elements that are structured and can be used to deliver on a security blueprint that directs organizations on how to improve their security capabilities.

Gap 7: Lack of emphasis on human-centricity, social securitization, and security exposures. Securitization of the person is fundamental at the macro, meso, and micro layers. For now, cybersecurity attacks aim to access personally identifiable information through unauthorized access. Attacks of the future will become increasingly sensitive (e.g., targeting implants), in addition to making use of behavioural analytics such as neurobiological processes through brain-to-computer interfaces [83]. Responding to such security exposures is at the heart of social securitization, human rights, dignity, and autonomy to counter human destabilization. This can take the form of disinformation campaigns on social media in the form of microtargeting members of the community [84].

Gap 8: Lack of regulatory and policy approaches and responses to cybersecurity issues. This gap focuses on the necessary support required for cybersecurity initiatives to govern emerging technologies such as artificial intelligence (e.g., legal vs unethical etc). Regulatory and policy sandboxes may be one approach to test solutions, enabling just-in-time responses to the pacing problem where advances in AI within the cybersecurity context outstrip the ability to defend against unknowns. This gap acknowledges that scenario planning can occur to consider ways forward, particularly in the context of autonomous cyber defence and AI security.

Gap 9: A process of socio-technical security design in conjunction with existing organizational cybersecurity practices. The gap promotes the need to go through a socio-technical security design process. Organizations should set security goals from the outset. After goals have been defined, an appropriate cybersecurity framework that aids in the continuous monitoring of mutual alignment between the social, technical, and environmental subsystems is required to maintain overall systems performance. The chosen framework is overlaid on top of existing cybersecurity practices in an organization.

Gap 10: Development of cybersecurity models, simulations, and scenarios in the context of socio-technical systems from a micro, meso, and macro perspective relevant to the organization/entity. The emphasis of this gap is on the need to conduct whole-of-systems modelling by better understanding the linkages between the micro, meso, and macro layers and the development of models that capture complexity through simulation. Approaches to the development of models must be multi-paradigmatic and multidisciplinary. This gap requires a diverse research community to work closely together to break down silos.

SECTION V.

Findings: A Socio-Technical Approach to Ai in Cybersecurity

To date, new ways with which to tackle the growing cybersecurity problem have been deliberated, and planned responses at the strategic level have been incorporated, e.g., at a variety of levels of government and education. The creation of the public interest technologist who is equipped with a multidisciplinary background to tackle emerging complex problems related to cybersecurity is beginning to gain some traction in the United States [85]. Beyond the emergence of a new transdisciplinary field of scholarship in public interest technology (PIT), and the creation of cybersecurity citizen “clinics” aligned with university core computer science curricula, industry must create opportunities for workers to demonstrate the value of adopting diverse frameworks, approaches, techniques, and methods from a variety of disciplines. Demand must grow as should the respect for people who can assist in the fulfilment of socio-technical systems design toward better cybersecurity solutions. This requires opportunities for relevant exchange and the supply of information about critical intersecting spaces, on job boards, at conferences, meetups and more. We could say PIT has emerged because of the need to have balance within the social, technical, and environmental subsystems.

Using a multi-paradigmatic approach, there are ways to better design socio-technical security systems. We distinguish here between socio-technical systems that require cybersecurity to be embedded as a non-functional requirement, socio-technical systems built to fulfil a cybersecurity systems function, and industry-specific and national cybersecurity strategies that securitize borders and citizens. While systems and entities should be considered within the contexts in which they have been conceived, the real scope for change in the field at large is in understanding the interrelationships and interdependencies not just horizontally across operations (e.g., supply chain, value chain, care chain), but vertically (i.e., macro, meso, micro). Malatji [23] provides a long list of socio-technical systems (STS) security controls mapped against what they term “capability domains,” that are defined as (1) organizational structure (functions); (2) actors; (3) technology (tools and resources); (4) and work activities (tasks) (reminiscent of Bostrom and Heinen’s [86] approach to analysing STS).

Fig. 6. Human to Non-Human Interaction.

We have discussed throughout the paper the importance of a balanced approach to social, technical, and environmental considerations in modern complex socio-technical systems where human actors, agents, and their corresponding relationships at the component level need to be mapped using a multi-stakeholder, multi-dimensional, multi-disciplinary, multi-paradigmatic approach toward interdisciplinarity and transdisciplinarity. No one paradigm has all the answers, but boundaries are still required as are stating underlying assumptions when aligning to a socio-technical systems cybersecurity framework. An overemphasis in one component of a singular subsystem will not result in better achievement of overall cybersecurity goals, but rather will come at the cost of another part of the sub-system that may well be prone to a socio-technical gap given the lack of attention. In fact, we make the claim it is “human and computer in the loop” that will best achieve an augmented capability [87].

As Wall [88] has stipulated, AI cannot oversee making the “hard decisions,” but it can be there to aid practitioners, professionals, policy makers and politicians through informed analysis drawing out key concepts and directions and assisting in making sense of gathered intelligence. The accountability of decision-making must always rest with the human on non-trivial matters [89]. Stevens [14] elaborates that AI algorithms spur on knowledge production through new modes and locales of cybersecurity that, in turn, trigger the formation of new hybrid assemblages between humans (actors) and non-humans (artefacts) (Fig. 6). But this is not to say that the introduction of AI-driven “anything” (e.g., anomaly detection) is not without its own tensions and subjectivities. While AI can better detect network and data activity flows, it is not a substitute for human cognition and can create political problems in the workplace [14]. Furthermore, Stevens writes that the “core modality of offence-defence dynamics in the grey zone, remains open to contestation” [14].

Awareness that the environmental subsystem cuts across the socio-technical subsystems is also important. External to the socio-technical system may well be pressures that impact the system as a whole, but many of these pressures are unpredictable. This unpredictability can be modelled using scenarios in multi-agent systems, if information can be gathered about the behaviours observed and fed back into the model [70]. A cybersecurity framework must be agile enough to incorporate feedback, but also work in conjunction with existing technological processes. Though we have stated the importance of the sociological/ psychological/ cultural, we restate that this must not come at the expense of the technological, nor at the expense of the regulations, policies, rules, and guidelines that govern a socio-technical system.

SECTION VI.

Roadmap

One of the challenges of studying AI in the field of cybersecurity is treating it as more than just an “artefact”. AI is not a single technology but an interrelated system of artefacts in the form of hardware and software, and the human actors who are both responsible for, and impacted by, its processes and outputs. As we anticipate the impact of AI will have in cybersecurity, a future roadmap based on a multidisciplinary perspective and relevant funding considerations becomes essential [51], [90].

From the social dimension, it is important to restate the role of the human actor in decision making [88] and ensure that the human is always over the loop in the cybersecurity lifecycle and corresponding processes [91]. From the technical dimension, there is a growing need to remove siloes, streamlining enterprise architectures and acknowledging technological convergence at multiple levels. It is also important to continually search for those internal and external sources of data stemming from machines and humans, on which to base decisions and develop proactive cybersecurity models for the prevention and detection of attacks. Evidence gathering becomes a catalyst for anticipating and plugging cybersecurity threats toward continual improvement through the adoption of scenario mapping techniques and use-case analysis. Additionally, there is a known lack of resources and support infrastructure with respect to cybersecurity. There is also a lack of consideration for end-users, as new tools and online services are introduced onto the market without the commensurate ability for users to receive adequate training on possible pitfalls [51], in addition to technological developments far outpacing the ability for the law to introduce timely consumer safeguards, among other practical solutions. Finally, the environmental dimension cannot be ignored as it is a “gray zone” and represented by entangled assemblages [14]. While this dimension is synonymous with laws and regulations, soft laws (i.e., technical standards and guidelines) [92] are increasingly having an enormous impact on how organizations address cybersecurity challenges, particularly in what is known as the Policy-Practice Pacing Problem [93].

Fig. 7. Multi-dimensional Response to AI in Cybersecurity.

Bringing these dimensions together within an ecosystem, we can use the lens of the co-evolutionary perspective to identify the role of stakeholders, the nature of the risk in the ecosystem and possible ways to address this risk [24] (Fig. 7). It is the meshed inter-relatedness, interdependencies and assemblages that are cyber/physical/social that matter, mapped out across various layers of the Open Systems Interconnection (OSI) stack but also from the micro to the macro levels. Cybersecurity ecosystems are extended to incorporate “ubiquitous digital ecosystems” [94] more broadly, which introduces yet more complexity [95]. A way forward is to be hopeful in the benefits of AI in cybersecurity optimization programs [23], but this in no way diminishes the responsibility of the human decision-maker. The path of “AI as part solution” together with “human at the helm” is also fraught with its own sets of risks, as either the human actor reverts to the AI to empower them, or the AI is riddled with a lack of data to power cybersecurity models and systems, or there is the phenomenon of internal bias with inconclusive results. Data visibility across the supply chain provides entities with near real-time data giving an organization the ability to make informed decisions on accurate up-to-date information that can make all the difference on cybersecurity readiness. Internal and external data sources become a form of intelligence, through the implementation of advanced monitoring tools, leveraging automation and enhanced data integration across systems, in order to launch cybersecurity offensives using predictive capabilities based on AI (that were previously non-existent) to anticipate attacks and respond accordingly upon pattern recognition.

It is also important to attract a larger and more diverse pool of researchers into the cybersecurity field where philosophers, anthropologists, sociologists, and psychologists are engaged with how to better broach the bigger cybersecurity threats affecting our society at the macro, meso, and micro levels. Organizations must hire professionals who are able to approach the existing cybersecurity issues that have plagued us for the last decade in new ways, and who are able to deal with the emergent threats that are yet to be measured, as well as those that to an extent are still unknown, even to specialists in the field. This will not happen if we continue to engage the same scholars, with the same methodologies, and the same underlying motivations. How can we get more transdisciplinary teams working together where each member of the research team feels equally valued to contribute? The roadmap may, for example, encourage this transdisciplinarity by requiring certain types of backgrounds to fill different parts of a research problem described in a grant application, or come together to devise an innovative whole national systems approach to cybersecurity. In addition, publishing outcomes in transdisciplinary journal outlets, and engaging publics, government agencies, the third sector and small-to-medium industries in popular news, policy and trade publications may be useful. Also ensuring that applicants are diverse in background and not just focusing on disciplinary types is a necessity.

Fig. 8. Five Key Recommendations: A Future Roadmap.

Funding opportunities for research within national science foundations, research councils and institutes allow for specific areas of investigation with respect to the use of AI in cybersecurity. The more money that is poured into research and development (R&D) programs providing opportunities to engage researchers from across sectors and across disciplines the better the expected outcomes. Samtani et al. [51] for example, single out the opportunities provided by the National Science Foundation (NSF) to support AI for cybersecurity research and education programs. They identify five funding types include: (1) early career status, (2) infrastructure-oriented, (3) core research, (4) transition to practice and (5) education-oriented. Over half the funding opportunities ranging from individual awards from 175K to 5M USD are listed as being “cross-cutting” with respect to the handling directorate and division, demonstrating that the United States emphasizes interdisciplinary and transdisciplinary research. Horizon EU similarly has major initiatives for Europe acknowledging the offensive and defensive role that AI plays in cybersecurity but also how AI can be used for cybersecurity reinforcement [96]. So committed are the European Union, that they have announced an investment of 1 billion Euro per year in AI for a decade [97], some of this incorporating its application to cybersecurity [98], propelled by the introduction of the EU AI Act. Equally, governments must set aside support for industry creating innovative ways to combat cybersecurity threats through the application of AI, and support schools and colleges toward the development of economic information infrastructures surrounding cybersecurity. But most of all, citizen approaches are vital to shift the cybersecurity mindset and build capacity. Here the roadmap must highlight the need to raise awareness at the local level through the creation of programs at local libraries and other meeting spaces within a municipality.

The initial phase of the roadmap in the first five years is to conduct public engagement with citizens around cybersecurity issues and the coming transformations from AI, inclusive of other sectors of society. The second phase of the roadmap is to target funders toward the generation of new multi/trans-disciplinary knowledge with respect to the changing cybersecurity paradigm, using a socio-technical framing. The third phase of the roadmap is to bring together members of the cybersecurity ecosystem and to define relationships and interdependencies with a long-term view of systems redesign and redevelopment, inclusive of the implementation of tools, techniques and methods, necessary standards and regulations, in addition to other resources.

SECTION VII.

Conclusion, Recommendations and Limitations

Five recommendations are put forward to be satisfied over a ten-year horizon; these activities can be done in parallel approaches. The recommendations cover every level from micro to macro within the cybersecurity landscape, a means to create a cybersecurity socio-technical lifecycle framework for continuous improvement, in order to anticipate future AI-based uses to attack and defend network boundaries. These five recommendations form the basis of a socio-technical approach to AI-enabled cybersecurity (figure 8).

  1. Define and develop capacity building activities for citizens/ consumers / employees/ volunteers to institute a cybersecurity mindset that is empirically operationalized [64]. Through active citizenship and guiding policy, create a set of concrete habits, values and attitudes that can be embraced by Internet users, and deal with the complexity of cyberspace [99], [100].

  2. Design and develop a socio-technical systems cybersecurity capability’s maturity model in the context of AI in cybersecurity that works in conjunction with existing cybersecurity frameworks (e.g., [101]), and can be applied to any workplace or context. Where there are known vulnerabilities and anticipated cybersecurity threats resulting from AI, the socio-technical gaps can be treated by using existing information and solutions [23].

  3. Identify and explain the subsystems and their relationships, at the macro-social level (national, intergovernmental, and societal dimensionality level boundaries), meso level (trans-organizational supply chain and corresponding linkages), and at the micro level (elements/components and their respective interconnected interfaces). As Griffith and Dougherty [67] point out: “Can we build a broad socio-technical theory that explains the linkages at so many levels and/or for so many technology issues, or are there different kinds of socio-technical connections that require different theories?” The hope in this phase of the cycle is to move theory and research toward explication so that it may be more clearly relevant to practice.

  4. Develop operationalization methods to bridge the gap between theory, industry standards, and application; principles and action; security requirements and specifications within a given layer of inquiry [15], [102]. In this recommendation we suggest security mechanisms (in whatever form suits an organization or entity’s existing practices) to satisfy security goals that are critical to one or more socio-technical system.

  5. Conduct ongoing security analysis and design to gain more information about existing and future AI in cybersecurity threats which are rapidly evolving given the recent rise of Large Language Models (LLMs) and Generative AI. Security patterns should be identified and reused to address security problems, or socio-technical gaps and security models can be created and in turn we can embed these patterns using agents in anticipation of security breaches to understand plausible cyber, physical, and social responses and their measured effectiveness [59].

In this way we may forge ahead by defining and developing capacity building activities and strategies for stakeholders in the AI-Cybersecurity Ecosystem. Then design and develop a socio-technical systems AI-cybersecurity capability’s maturity model that will help us measure where various stakeholders are in terms of cybersecurity mindset engagement and more. The multilevel perspective here is paramount. By studying the subsystems at various levels, it becomes apparent that a whole-of-practice socio-technical approach is required. Importantly, we need to know where to begin to define these subsystems, the interconnections between systems, and then we need to map the component-level details at each level and how things will work toward the discovery of operationalization methods. Finally, there is an ongoing requirement to scan the landscape for emergent threats, attempting to identify existing patterns that can be used in agent-based models to anticipate the types of security breaches that are possible, toward continual improvement of cybersecurity defences against AI or any other emergent social, technical, or environmental event or impact.

The limitations of this study can also be considered future research. While the strategy adopted in this paper has suggested a multi-level “AI in cybersecurity” analysis at a macro to micro level, none of the findings are prescriptive and detailed enough in demonstrating the operationalization of the socio-technical framing. A multi-stakeholder risk assessment should be conducted in context, granting visibility to better understand the dynamic forces at play. Of course, stakeholders in the cybersecurity ecosystem have their own lifecycles, processes, and security policies to address the advent of AI as an emergent technology and corresponding threat or opportunity. However, some stakeholders would be mapping their strengths and weaknesses without acknowledgement of the wider cybersecurity ecosystem at large which is highly meshed and entangled; a vulnerability in one interdependency in the supply chain causing a ripple effect up and down the chain. A more robust strategy underlying this work is one where collaborative design (co-design) is used to supplement socio-technical innovation which historically has undergone almost parallel growth with cybersecurity paradigms. Thus a greater exploration could be made at the intersection of boundaries between disciplines and sectors, between levels (macro, meso, micro), and between stakeholders in order to better understand new innovations that might further support individual, local, organizational, national, and even international cybersecurity strategies. This might well begin with an emphasis on values as related with risk mitigation techniques toward the continuous improvement of cybersecurity frameworks toward standardization.

ACKNOWLEDGMENT

The authors would like to thank Terri Bookman for her editorial assistance and the anonymous reviewers who provided excellent feedback to the manuscript during the review process.

References


1.
( Cyber Manag., London, U.K.).,, Recent Cyber Attacks, Data Breaches & Ransomware Attacks, Feb. 2023. [Online]. Available: https://www.cm-alliance.com/cybersecurity-blog/recent-cyber-attacks-data-breaches-ransomware-attacks-november-2022

2. A. Tyas Tunggal, “The 68 biggest data breaches.,” Dec. 2022. [Online]. Available: https://www.upguard.com/blog/biggest-data-breaches

3. Y. Apolo and K. Michael, “Beyond a reasonable doubt? Audiovisual evidence, AI manipulation, deepfakes, and the law,” IEEE Trans. Technol. Soc., vol. 5, no. 2, pp. 156–168, Jun. 2024, doi: 10.1109/TTS.2024.3427816.

4. D. Kolevski, K. Michael, R. Abbas, and M. Freeman, “Cloud data breach disclosures: The consumer and their personally identifiable information (PII)?,” in Proc. IEEE Conf. Norbert Wiener 21st Century (21CW), 2021, pp. 1–9, doi: 10.1109/21CW48944.2021.9532579.

5. T. Bonaci, K. Michael, P. Rivas, L. J. Robertson, and M. Zimmer, “Emerging technologies, evolving threats: Next-generation security challenges,” IEEE Trans. Technol. Soc., vol. 3, no. 3, pp. 155–162, Sep. 2022, doi: 10.1109/TTS.2022.3202323.

6. I. Agrafiotis, J. R. C. Nurse, M. Goldsmith, S. Creese, and D. Upton, “A taxonomy of cyber-harms: Defining the impacts of cyber-attacks and understanding how they propagate,” J. Cybersecur., vol. 4, no. 1, 2018, Art. no. tyy006. [Online]. Available: https://doi.org/10.1093/cybsec/tyy006

7. D. Kolevski and K. Michael, “Edge computing and IoT data breaches: Security, privacy, trust, and regulation,” IEEE Technol. Soc. Mag., vol. 43, no. 1, pp. 22–32, Mar. 2024, doi: 10.1109/MTS.2024.3372605.

8. C. B. Smith, “The semantic attack surface: A systems-dynamic model of narrative in cyberspace,” IEEE Trans. Technol. Soc., vol. 4, no. 2, pp. 146–157, Jun. 2023, doi: 10.1109/TTS.2022.321078.

9. S. Alkire, “A conceptual framework for human security,” Dept. Int. Develop., Univ. Oxford, Oxford, U.K., Working Paper, 2003. [Online]. Available: https://assets.publishing.service.gov.uk/media/57a08cf740f0b652dd001 694/wp2.pdf

10. M. Bada and J. R. C. Nurse, “The social and psychological impact of cyberattacks,” in Emerging Cyber Threats and Cognitive Vulnerabilities, V. Benson and J. Mcalaney, Eds., Cambridge, MA, USA : Academic, 2020, pp. 73–92. [Online]. Available: https://doi.org/10.1016/B978-0-12-816203-3.00004-6

11. M. Taddeo, P. Jones, R. Abbas, K. Vogel, and K. Michael, “Special issue on socio-technical ecosystem considerations: An emergent research agenda for AI in cybersecurity,” IEEE Trans. Technol. Soc., vol. 4, no. 2, pp. 1–194, Jun. 2023. [Online]. Available: https://ieeexplore.ieee.org/xpl/tocresult.jsp?isnumber=10153436&punumber=8566059

12. H. Ueno, “Artificial intelligence as dual-use technology,” in Fusion of Machine Learning Paradigms (Intelligent Systems Reference Library), vol. 236, I. K. Hatzilygeroudis, G. A. Tsihrintzis, and L. C. Jain, Eds., Cham, Switzerland : Springer, 2023. [Online]. Available: https://doi.org/10.1007/978-3-031-22371-6_2

13. ( Interact. Design Found., Aarhus, Denmark ).,, What are Socio-Technical Systems?. Accessed: Sep. 9, 2024. [Online]. Available: https://www.interaction-design.org/literature/topics/socio-technical-systems

14. T. Stevens, “Knowledge in the grey zone: AI and cybersecurity,” Digit. War, vol. 1, pp. 164–170, Dec. 2020. [Online]. Available: https://doi.org/10.1057/s42984-020-00007-w

15. R. Abbas and K. Michael, “Socio-technical theory: A review,” in TheoryHub Book, S. Papagiannidis, Ed., Tyne, U.K. : Newcastle Univ., 2022. [Online]. Available: http://open.ncl.ac.uk.978-1-7396044-0-0

16. S. H. Appelbaum, “Socio-technical systems theory: An intervention strategy for organizational development,” Manag. Decision, vol. 35, no. 6, pp. 452–463, 1997. [Online]. Available: https://doi.org/10.1108/00251749710173823

17. P. Carayon, “Advancing a sociotechnical systems approach to workplace safety—Developing the conceptual framework,” Ergonomics, vol. 58, no. 4, pp. 548–564, 2015. [Online]. Available: https://doi.org/10.1080/00140139.2015.1015623

18. M. C. Davis, R. Challenger, D. N. W. Jayewardene, and C. W. Clegg, “Advancing socio-technical systems thinking: A call for bravery,” Appl. Ergon., vol. 45, no. 2, pp. 171–180, 2014. [Online]. Available: https://doi.org/10.1016/j.apergo.2013.02.009

19. K. Dopfer, J. Foster, and J. Potts, “Micro-meso-macro,” J. Evol. Econ., vol. 14, pp. 263–279, Jul. 2004. [Online] Available: https://doi.org/10.1007/s00191-004-0193-0

20. A. Blackstone, “2.1 micro meso and macro approaches,” in Principles of Sociological Inquiry: Qualitative and Quantitative Methods, Washington, DC, USA : Saylor Acad., 2012. [Online] Available: https://saylordotorg.github.io/text_principles-of-sociological-inquiry-qualitative-and-quantitative-methods/s05-01-micro-meso-and-macro- approache.html

21. D. Schiff, A. Ayesh, L. Musikanski, and J. C. Havens, “IEEE 7010: A new standard for assessing the well-being implications of artificial intelligence,” in Proc. IEEE Int. Conf. Syst., Man, Cybern. (SMC), Toronto, ON, Canada, 2020, pp. 2746–2753, doi: 10.1109/SMC42975.2020.9283454.

22. C. Hoon, “Meta-synthesis of qualitative case studies: An approach to theory building,” Organ. Res. Methods, vol. 16, no. 4, pp. 522–556, Apr. 2013, doi: 10.1177/109442811348496.

23. M. Malatji, S. Von Solms, and A. Marnewick, “Socio-technical systems cybersecurity framework,” Inf. Comput. Secur., vol. 27 no. 2, pp. 233–272, 2019. [Online]. Available: https://doi.org/10.1108/ICS-03-2018-0031

24. T. Islam, “A socio-technical and co-evolutionary framework for reducing human-related risks in cyber security and cybercrime ecosystems,” in Proc. 5th Int. Conf. Dependability Sens., Cloud, Big Data Syst. Appl., 2019, pp. 277–293. [Online]. Available: https://doi.org/10.1007/978-981-15-1304-6_22

25. M. Sewak, S. K. Sahay, and H. Rathore, “Deep reinforcement learning for cybersecurity threat detection and protection: A review,” 2022, arXiv:2206.02733.

26. T. T. Nguyen and V. J. Reddi, “Deep reinforcement learning for cyber security,” Nov. 2021, arXiv:1906.05799.

27. J. Kinyua and L. Awuah, “AI/ML in security orchestration, automation and response: Future research directions,” Intell. Autom. Soft Comput., vol. 28, no. 2, pp. 527–545, 2021. [Online]. Available: https://doi.org/10.32604/iasc.2021.016240

28. B. Prébot, Y. Du, X. Xi, and C. Gonzalez, “Cognitive models of dynamic decisions in autonomous intelligent cyber defense,” in Proc. Int. Conf. Auton. Intell. Cyber-Def. Agents, 2022, pp. 1–13. [Online]. Available: https://www.researchgate.net/publication/364965185_Cognitive_ Models_of_Dynamic_Decisions_in_Autonomous_Intelligent_Cyber _Defense

29. A. Piplai, M. Anoruo, K. Fasaye, A. Joshi, T. Finin, and A. Ridley, “Knowledge guided two-player reinforcement learning for cyber attacks and defenses,” in Proc. Int. Conf. Mach. Learn. Appl., 2022, pp. 1342–1349. [Online]. Available: https://ebiquity.umbc.edu/_file_directory_/papers/1173.pdf

30. Z. Jin, S. Zhang, Y. Hu, Y. Zhang, and C. Sun, “Security state estimation for cyber-physical systems against DoS attacks via reinforcement learning and game theory,” Actuators, vol. 11, no. 7, p. 192, 2022. [Online]. Available: https://doi.org/10.3390/act11070192

31. H. Jiang, T. Choi, and R. K. L. Ko, “Pandora: A cyber range environment for the safe testing and deployment of autonomous cyber attack tools,” 2020, arXiv:2009.11484.

32. R. Silva, C. Hickert, N. Sarfaraz, J. Brush, J. Silbermann, and T. Sookoor, “AlphaSOC: Reinforcement learning-based cybersecurity automation for cyber-physical system,” in Proc. ACM/IEEE 13th Int. Conf. Cyber-Phys. Syst. (ICCPS), 2022, pp. 290–291. [Online]. Available: https://conferences.computer.org/cpsiot/pdfs/ICCPS2022-ifhdJu28kaMK8qGYbf7d0/096700a290/096700a290.pdf

33. A. Applebaum, “Bridging automated to autonomous cyber defense: Foundational analysis of tabular Q-learning,” in Proc. 15th ACM Workshop Artif. Intell. Secur., 2022, pp. 149–159. [Online]. Available: https://doi.org/10.1145/3560830.3563732

34. M. Wolk, “Beyond CAGE: Investigating generalization of learned autonomous network defense policies,” 2022, arXiv:2211.15557.

35. A. M. K. Adawadkar and N. Kulkarni, “Cyber-security and reinforcement learning—A brief survey,” Eng. Appl. Artif. Intell., vol. 114, Sep. 2022, Art. no. 105116. [Online]. Available: https://doi.org/10.1016/j.engappai.2022.105116

36. V. D. Veksler, N. Buchler, C. G. LaFleur, M. S. Yu, C. Lebiere, and C. Gonzalez, “Cognitive models in cybersecurity: Learning from expert analysts and predicting attacker behavior,” Front Psychol., vol. 11, p. 1049, Jun. 2020, doi: 10.3389/fpsyg.2020.0104.

37. R. Meier, A. Lavrenovs, K. Heinäaro, L. Gambazzi, and V. Lenders, “Towards an AI-powered player in cyber defence exercises,” in Proc. 13th Int. Conf. Cyber Confl., 2022, pp. 309–326. [Online]. Available: https://nsg.ee.ethz.ch/fileadmin/user_upload/publications/roland-meier_ai-team_cycon21.pdf

38. M. Standen, M. Lucas, D. Bowman, T. J. Richer, J. Kim, and D. Marriott, “CybORG: A gym for the development of autonomous cyber agents,” 2021, arXiv:2108.09118.

39. J. Collyer, A. Andrew, and D. Hodges, “ACD-G: Enhancing autonomous cyber defense agent generalization through graph embedded network representation,” in Proc. 39th Int. Conf. Mach. Learn., 2022, pp. 1–10. [Online]. Available: https://dspace.lib.cranfield.ac.uk/bitstream/handle/1826/18288/ACD-G-Enhancing_autonomous_cyber_defense-2022.pdf?sequence=1

40. B. Buchanan ( Center Secur. Emerg. Technol., Washington, DC, USA ).,, A National Security Research Agenda for Cybersecurity and Artificial Intelligence: CSET Issue Brief. May 2020. [Online]. Available: https://cset.georgetown.edu/wp-content/uploads/CSET-A-National-Security-Research-Agenda-for-Cybersecurity-and-Artificial-Intelligence.pdf

41. W. Hoffman ( Center Secur. Emerg. Technol., Washington, DC, USA ).,, Making AI Work for Cyber Defense. Dec. 2021. [Online]. Available: https://cset.georgetown.edu/publication/making-ai-work-for-cyber-defense/

42. R. K. L. Ko, “Cyber Autonomy: Automating the hacker–Self-healing, self-adaptive, automatic cyber defense systems and their impact to the industry, society and national security,” Dec. 2020. {} arXiv:2012.04405.

43. A. Lohn ( Center Secur. Emerg. Technol., Washington, DC, USA ).,, Andrew Lohn's Testimony Before the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation, Jun. 2022. [Online]. Available: https://cset.georgetown.edu/publication/andrew-lohns-testimony-before-the-house-homeland-security-subcommittee-on-cybersecurity- infrastructure-protection-and-innovation/

44. A. Burke, “Robust artificial intelligence for active cyber defence.,” Mar. 2020. [Online]. Available: https://www.turing.ac.uk/sites/default/files/2020-08/public_ai_acd_techreport_final.pdf

45. L. Chan, “Survey of AI in cybersecurity for information technology management,” in Proc. IEEE Technol. Eng. Manag. Conf. (TEMSCON), Atlanta, GA, USA, 2019, pp. 1–8, doi: 10.1109/TEMSCON.2019.8813605.

46. M. Hofstetter, R. Riedl, T. Gees, A. Koumpis, and T. Schaberreiter, “Applications of AI in cybersecurity,” in Proc. 2nd Int. Conf. Transdiscip. AI (TransAI), Irvine, CA, USA, 2020, pp. 138–141, doi: 10.1109/TransAI49837.2020.00031.

47. G. J. Mwakalinga and S. Kowalski, “Modelling the enemies of an IT security system—A socio-technical system security model,” in Proc. 2nd Int. Multi-Conf. Complex., Informat. Cybern., 2011, {} pp. 251–256.

48. J. M. Bauer and W. H. Dutton, “The new cybersecurity agenda: Economic and social challenges to a secure internet: World development report 2016 digital dividends,” World Bank Group, Washington, DC, USA, Working Paper, 2016. [Online]. Available: https://openknowledge.worldbank.org/handle/10986/7735

49. K. Michael, R. Abbas, J. Pitt, K. Vogel, and M. Zafeirakopoulos, “Securitization for sustainability of people and place,” IEEE Technol. Soc. Mag., vol. 42, no. 2, pp. 22–28, Jun. 2023, doi: 10.1109/MTS.2023.328382.

50. J. R. Schoenherr, R. Abbas, K. Michael, P. Rivas, and T. D. Anderson, “Designing AI using a human-centered approach: Explainability and accuracy toward trustworthiness,” IEEE Trans. Technol. Soc., vol. 4, no. 1, pp. 9–23, Mar. 2023, doi: 10.1109/TTS.2023.3257627.

51. S. Samtani, M. Kantarcioglu, and H. Chen, “Trailblazing the artificial intelligence for cybersecurity discipline: A multi-disciplinary research roadmap,” ACM Trans. Manag. Inf. Syst., vol. 11, no. 4, pp. 1–19, 2020. [Online]. Available: https://doi.org/10.1145/3430360

52. G. Dhillon and J. Backhouse, “Technical opinion: Information system security management in the new millennium,” Commun. ACM, vol. 43, no. 7, pp. 125–128, 2000. [Online]. Available: https://doi.org/10.1145/341852.341877

53. N. Dhanjani, B. Rios, and B. Hardin, Hacking: The Next Generation. Newton, MA, USA ; O'Reilly Media, 2009.

54. G. Dhillon and J. Backhouse, “Current directions in IS security research: Towards socio-organizational perspectives,” Inf. Syst. J., vol. 11, no. 2, pp. 127–153, 2001. [Online]. Available: https://doi.org/10.1046/j.1365-2575.2001.00099.x

55. G. Dhillon, Principles of Information Systems Security: Text and Cases, Hoboken, NJ, USA : Wiley. 2007.

56. M. Bishop, Introduction to Computer Security. Boston, MA, USA : Addison-Wesley, 2005.

57. S. Samonas and D. Coss, “The CIA strikes back: Redefining confidentiality, integrity and availability in security,” J. Inf. Syst. Secur., vol. 10, no. 3, pp. 21–45, 2014.

58. T. Kayworth and D. Whitten, “Effective information security requires a balance of social and technology factors,” MIS Quart. Exec., vol. 9, no. 3, pp. 2012–52, 2010. [Online]. Available: https://aisel.aisnet.org/misqe/vol9/iss3/5

59. T. Li, J. Horkoff, and J. Mylopoulos, “Holistic security requirements analysis for socio-technical systems,” Softw. Syst. Model., vol. 17, no. 4, pp. 1253–1285, 2018. [Online]. Available: https://doi.org/10.1007/s10270-016-0560-y

60. M. Hodson and S. Marvin, “Can cities shape socio-technical transitions and how would we know if they were?,” Res. Policy, vol. 39, no. 4, pp. 477–485, 2010. [Online]. Available: https://doi.org/10.1016/j.respol.2010.01.020

61. D. L. Farber and M. Pietrucha, “A Socio-technical analysis of interdependent infrastructures among the built environment, energy, and transportation systems at the navy yard and the philadelphia metropolitan region,” Int. Symp. Next Gener. Infrastruct. Conf., 2014, pp. 151–156. [Online]. Available: http://www.ucl.ac.uk/steapp/isngi/proceedings

62. P. P. Y. Wu, C. Fookes, J. Pitchforth, and K. Mengersen, “A framework for model integration and holistic modelling of socio-technical systems,” Decision Support Syst., vol. 71, pp. 14–27, Mar. 2015. [Online]. Available: https://doi.org/10.1016/j.dss.2015.01.006

63. V. Zimmermann and K. Renaud, “Moving from a `human-as-problem' to a `human-as-solution' cybersecurity mindset,” Int. J. Human-Comput. Stud., vol. 131, pp. 169–187, Nov. 2019. [Online]. Available: https://doi.org/10.1016/j.ijhcs.2019.05.005

64. B. Dupont, “Cybersecurity futures: How can we regulate emergent risks?,” Technol. Innov. Manag. Rev., vol. 3, no. 7, pp. 6–11, 2013. [Online]. Available: https://doi.org/10.22215/timreview/700

65. E. Paja, F. Dalpiaz, and P. Giorgini, “Managing security requirements conflicts in socio-technical systems,” in Conceptual Modeling W. Ng, V. C. Storey, and J. C. Trujillo, Eds., Berlin, Germany : Springer, Nov. 2013. [Online]. Available: https://doi.org/10.1007/978-3-642-41924-9_23

66. M. Mujinga, M. M. Eloff, and J. H. H. Kroeze, “A socio-technical approach to information security,” in Proc. AMCIS, 2017, pp. 1–10. [Online]. Available: https://aisel.aisnet.org/amcis2017/SocialTechincal/Presentations/10

67. T. L. Griffith and D. J. Dougherty, “Beyond socio-technical systems: introduction to the special issue,” J. Eng. Technol. Manag., vol. 18, nos. 3–4, pp. 207–218, 2001. [Online]. Available: https://doi.org/10.1016/S0923-4748(01)00034-0

68. E. M. Rogers, Diffusion of Innovations, 4th ed. New York, NY, USA : Free Press, 1995.

69. P. Susan and R. J. Mykletun, “Ageing workforce knowledge management and transactional and transformational leadership: A socio-technical systems framework and a Norwegian case study,” Int. J. Bus. Soc. Sci., vol. 5, no. 5, pp. 11–21, 2014. [Online]. Available: https://doi.org/10.30845/ijbss

70. D. Worm, D. Langley, and J. Becker, “Modeling interdependent socio-technical networks: The smart grid—An agent-based modeling approach,” in Simulation and Modeling Methodologies, Technologies and Applications (Advances in Intelligent Systems and Computing), vol. 319, M. S. Obaidat, S. Koziel, J. Kacprzyk, L. Leifsson, and T. Ören, Eds., Cham, Heidelberg : Springer, 2015. [Online]. Available: https://doi.org/10.1007/978-3-319-11457-6_6

71. S. O. Johnsen and M. Veen, “Risk assessment and resilience of critical communication infrastructure in railways,” Cogn., Technol. Work, vol. 15, pp. 95–107, Feb. 2013. [Online]. Available: https://doi.org/10.1007/s10111-011-0187-2

72. R. I. Beekun, “Assessing the effectiveness of sociotechnical interventions: Antidote or fad?,” Human Relat., vol. 42, no. 10, pp. 877–897, 1989. [Online]. Available: https://doi.org/10.1177/001872678904201002

73. G. Dhillon and J. Backhouse, “Risks in the use of information technology within organizations,” Int. J. Inf. Manag., vol. 16, no. 1, pp. 65–74, 1996. [Online]. Available: https://doi.org/10.1016/0268-4012(95)00062-3

74. F. P. B. Osinga, Science, Strategy and War: The Strategic Theory of John Boyd. London, U.K. : Routledge, 2007.

75. M. Kianpour, S. J. Kowalski, and H. Øverby, “Systematically understanding cybersecurity economics: A survey,” Sustainability, vol. 13, no. 24, 2021, Art. no. 13677. [Online]. Available: https://doi.org/10.3390/su132413677

76. K. Michael, R. Abbas, and G. Roussos, “AI in cybersecurity: The paradox,” IEEE Trans. Technol. Soc., vol. 4, no. 2, pp. 104–109, Jun. 2023, doi: 10.1109/TTS.2023.3280109.

77. P. Cihon, M. M. Maas, and L. Kemp, “Fragmentation and the future: Investigating architectures for international AI governance,” Global Policy, vol. 11, no. 5, pp. 545–556, 2020.

78. M. Minkkinen and M. Mäntymäki, “Discerning between the `easy' and `hard' problems of AI governance,” IEEE Trans. Technol. Soc., vol. 4, no. 2, pp. 188–194, Jun. 2023, doi: 10.1109/TTS.2023.3267382.

79. S. Zeadally, E. Adi, Z. Baig, and I. A. Khan, “Harnessing artificial intelligence capabilities to improve cybersecurity,” IEEE Access, vol. 8, pp. 23817–23837, 2020, doi: 10.1109/ACCESS.2020.296804.

80. W.R. B. Gibson, “The ethics of Nicolai Hartmann. I,” Australas. J. Psychol. Philos., vol. 11, no. 1, pp. 12–28, 1933, doi: 10.1080/0004840330854099.

81. F. Xu, K. Michael, and X. Chen, “Factors affecting privacy disclosure on social network sites: An integrated model,” Electron. Comm. Res., vol. 13, pp. 151–168, May 2013.

82. K. Michael, S. Kobran, R. Abbas, and S. Hamdoun, “Privacy, data rights and cybersecurity: Technology for good in the achievement of sustainable development goals,” in Proc. IEEE Int. Symp. Technol. Soc. (ISTAS), 2019, pp. 1–13.

83. L. N. Tournas and W. G. Johnson, “Regulating brain–computer interfaces: Ensuring soft law does not go flat,” IEEE Trans. Technol. Soc., vol. 4, no. 2, pp. 119–124, Jun. 2023, doi: 10.1109/TTS.2022.3208821.

84. K. Michael, “Bots trending now: Disinformation and calculated manipulation of the masses {[}editorial{]},” IEEE Technol. Soc. Mag., vol. 36, no. 2, pp. 6–11, Jun. 2017, doi: 10.1109/MTS.2017.2697067.

85. B. Schneier, “Cybersecurity for the public interest,” IEEE Security Privacy. Jan./Feb. 2019. [Online]. Available: https://www.schneier.com/essays/archives/2019/02/public-interest_tech.html

86. R. P. Bostrom and J. S. Heinen, “MIS problems and failures: A socio-technical perspective. Part I: The causes,” MIS Quart., vol. 1, no. 3, pp. 17–32, 1977. [Online]. Available: https://doi.org/10.2307/248710

87. R. Clarke, “The re-conception of AI: Beyond artificial, and beyond intelligence,” IEEE Trans. Technol. Soc., vol. 4, no. 1, pp. 24–33, Mar. 2023. [Online]. Available: https://doi.org/10.1109/TTS.2023.3234051

88. D. S. Wall, “The challenges of socio-technical AI systems: From a criminological perspective,” in Proc. STAIDCC Workshop, 2020, pp. 1–2. [Online]. Available: https://www.southampton.ac.uk/~sem03/STAIDCC20_wall_paper_07_07_2020.pdf

89. IEEE CertifAIEd™: The mark of AI ethics.,” 2024. [Online]. Available: https://engagestandards.ieee.org/ieeecertifaied.html

90. M. Taddeo, P. Jones, R. Abbas, K. Vogel, and K. Michael, “Socio-technical ecosystem considerations: An emergent research agenda for AI in cybersecurity,” IEEE Trans. Technol. Soc., June, vol. 4, no. 2, pp. 112–118, Jun. 2023, doi: 10.1109/TTS.2023.3278908.

91. S. E. Middleton, A. Lavorgna, and R. McAlister, “STAIDCC20: 1st international workshop on socio-technical AI systems for defence, cybercrime and cybersecurity,” in Proc. 12th ACM Conf. Web Sci. Companion, 2020, pp. 78–79. [Online]. Available: https://doi.org/10.1145/3394332.3402897

92. K. Michael, “Mitigating risk and ensuring human flourishing using design standards: IEEE 2089-2021 an age appropriate digital services framework for children,” IEEE Trans. Technol. Soc., to be published, doi: 10.1109/TTS.2024.3453396.

93. K. Michael, J. R. Schoenherr, and K. M. Vogel, “Failures in the loop: Human leadership in AI-based decision-making,” IEEE Trans. Technol. Soc., vol. 5, no. 1, pp. 2–13, Mar. 2024, doi: 10.1109/TTS.2024.3378587.

94. K. Carillo, E. Scornavacca, and S. Za, “The role of media dependency in predicting continuance intention to use ubiquitous media systems,” Inf. Manag., vol. 54, no. 3, pp. 317–335, 2017. [Online]. Available: https://doi.org/10.1016/j.im.2016.09.002

95. ( Nat. Cyber Secur. Centre, London, U.K.).,, Sociotechnical Security Group Problem Book: An outline of the StSG's future research in Cybersecurity. 2020. [Online]. Available: https://www.ncsc.gov.uk/blog-post/a-sociotechnical-approach-to-cyber-security#problem-book

96. ( El Centro de Documentación Europea de la Universidad de Almería, Almerìa, Spain ).,, Horizon Europe: AI for Cybersecurity Reinforcement. Jul. 2021. [Online]. Available: https://www.cde.ual.es/en/horizon-europe-ai-for-cybersecurity-reinforcement/

97. ( Eur. Comm.,Brussels, Belgium ).,, European Approach to Artificial Intelligence. Sep. 2024. [Online]. Available: https://digital-strategy.ec.europa.eu/en/policies/european-approach-artificial-intelligence

98. ( Eur. Comm., Brussels, Belgium ).,, Increased Cybersecurity. 2024. [Online]. Available: https://rea.ec.europa.eu/funding-and-grants/horizon-europe-cluster-3-civil-security-society/increased-cybersecurity_en

99. ( IEEE Stand. Assoc., Piscataway, NJ, USA ).,, IEEE Launches New Standard to Address Ethical Concerns During Systems Design,'' Sep. 2021. [Online]. Available: https://standards.ieee.org/news/ieee-7000/

100. S. Spiekermann, and T. Winkler, “Value-based engineering for ethics by design.,” Accessed: May 12, 2020. [Online]. Available: http://dx.doi.org/10.2139/ssrn.3598911

101. ( Nat. Inst. Stand. Technol., Gaithersburg, MA, USA ).,, Framework for Improving Critical Infrastructure Cybersecurity, Draft Version 1.1. 2017. [Online]. Available: https://www.nist.gov/sites/default/files/documents////draft-cybersecurity-framework-v1.11.pdf

102. C. Sanderson, “AI ethics principles in practice: Perspectives of designers and developers,” IEEE Trans. Technol. Soc., vol. 4, no. 2, pp. 171–187, Jun. 2023, doi: 10.1109/TTS.2023.3257303.

103. R. Abbas, K. Michael, J. Pitt, K. M. Vogel, and M. Zafeirakopoulos ( Alan Turing Inst., London, U.K.).,, Artificial Intelligence (AI) in Cybersecurity: A Socio-Technical Research Roadmap. 2023. https://www.turing.ac.uk/news/publications/artificial-intelligence-ai-cybersecurity-socio-technical-research-roadmap

Authors

Katina Michael

School for the Future of Innovation in Society and the School of Computing and Augmented Intelligence, Arizona State University, Tempe, AZ, USA

Katina Michael (Senior Member, IEEE) recited the Ph.D. degree. She is a Professor with Arizona State University (ASU) and a Senior Global Futures Scientist with the Global Futures Laboratory. At ASU, she has a joint appointment with the School for the Future of Innovation in Society and the School of Computing and Augmented Intelligence. Prior to academia, she was employed with Nortel Networks, Anderson Consulting, and OTIS Elevator Company. Her research focuses on the social implications of emerging technologies. She was responsible for establishing the Human Factors Series in the Research Network for a Secure Australia from 2005 to 2009, was an External Member of the Centre of Excellence in Policing and Security from 2009 to 2013, and ran the Social Implications of National Security workshops from 2006 to 2022. Since 2021, she has advised DARPA on matters pertaining to ethics, law, and societal implications of complex socio-technical systems. She has been funded by the National Science Foundation, the Canadian Social Sciences and Humanities Research Council, and the Australian Research Council. She is the Director of the Society Policy Engineering Collective and the Founding Editor-in-Chief of the IEEE Transactions on Technology and Society, and was formerly the Editor-in-Chief of the IEEE Technology and Society Magazine and an Editor of Computers and Security. She is the Founding Chair of the ASU Master of Science in Public Interest Technology, and the Technical Committee Co-Chair of Socio-Technical Systems at IEEE. She is a Senior Member of ACM SIGCAS.

Kathleen M. Vogel

School for the Future of Innovation in Society, Arizona State University, Tempe, AZ, USA

Kathleen M. Vogel is a Professor with the School for the Future of Innovation, Arizona State University, where she is a Senior Global Futures Scientist with the Global Futures Laboratory. She is a 2023 Non-Resident Fellow with the Irregular Warfare Initiative, a joint production of Princeton’s Empirical Studies of Conflict Project and the Modern War Institute at West Point. She was a Rutherford Fellow in the Defence and Security Programme with the Alan Turing Institute from 2018 to 2019, a Jefferson Science Fellow with the U.S. Department of State from 2016 to 2017, and a William C. Foster Fellow with the U.S. Department of State in 2003. She has previously served on the faculty of the University of Maryland at College Park, North Carolina State University, and Cornell University. She has also spent time as a Visiting Scholar with the Woodrow Wilson International Center for Scholars, Cooperative Monitoring Center, Sandia National Laboratories, and the Center for Nonproliferation Studies, Monterey Institute of International Studies. She is the author of Phantom Menace or Looming Danger?: A New Framework for Assessing Bioweapons Threats (Baltimore: The Johns Hopkins University Press, 2013). She is currently working on a book manuscript with Carl Ford on improving U.S. intelligence analysis.

Jeremy Pitt

School of Electrical Engineering, Imperial College London, London, U.K.

Jeremy Pitt received the B.Sc. degree in computer science from the University of Manchester and the Ph.D. degree in computing from the Imperial College, University of London. He is a Professor of Intelligent and Self-Organising Systems with the Department of Electrical and Electronic Engineering, Imperial College London. He has been teaching and researching on artificial intelligence and human-computer interaction for over 30 years, where his research programme has used computational logic to specify algorithmic models of social processes, with applications in cyber-physical and socio-technical systems, especially for sustainable, fair and legitimate self-governance. He has collaborated on research projects extensively in Europe as well as in India and New Zealand, and has held visiting professorial positions in Italy, Japan, and Poland. He has published more than 200 articles in journals, conferences, and workshops, and this work has received several Best Paper awards. He is an Editor of This Pervasive Day (ICPress, 2012) and The Computer After Me (ICPress 2014), and the author of Self-Organising Multi-Agent Systems (World Scientific, 2022). He was the Editor-in-Chief of IEEE Technology & Society Magazine He was the Editor-in-Chief of IEEE Technology & Society Magazine. He is a Trustee of the Association for Information Technology Trust and a Fellow of the British Computer Society (BC5), and of the Institution of Engineering and Technology.

Mariana Zafeirakopoulos

School of Design, The University of Sydney, Sydney, Australia

Mariana Zafeirakopoulos is a Social Design Academic with the University of Sydney’s School for Architecture, Design and Planning’s Design Lab, where she is also the Program Director for the Master of Design Program. She has almost 20 years of practice-based global experience working in strategic decision-making, insight and forecasting in national security and law enforcement contexts for government and private industry, particularly in areas of serious and organized crime and terrorism prevention. Over the last ten years, she has focused her research and practice on innovation and design to progress national security efforts in more humane and human-centred ways. Her transdisciplinarity approach unites practices from areas like futuring, social innovation, strategic design, systems thinking, and strategic intelligence to emerging complex contexts.

Citation: K. Michael, K. M. Vogel, J. Pitt and M. Zafeirakopoulos, "Artificial Intelligence in Cybersecurity: A Socio-Technical Framing," in IEEE Transactions on Technology and Society, vol. 6, no. 1, pp. 15-30, March 2025, doi: 10.1109/TTS.2024.3460740.

Previous
Previous

Exploring Social Robots for Healthy Older Adults: Aging With Companionship

Next
Next

Mitigating Risk and Ensuring Human Flourishing Using Design Standards: IEEE 2089–2021 an Age Appropriate Digital Services Framework for Children